Re: [Exim] doing SSL (not TLS) on a certain port

Author: Marc MERLIN
Date:  
To: Philip Hazel
CC: exim-users
Subject: Re: [Exim] doing SSL (not TLS) on a certain port
On Fri, Feb 09, 2001 at 10:36:36AM +0000, Philip Hazel wrote:
> > I still need to use stunnel for listening on the ssmtp port (465/tcp) and
> > forward connections to exim after doing SSL for it.
> > Would it be possible to have a ssl_listen_on directive which adds a port
> > exim needs to listen on, but in SSL mode (i.e. no TLS negotiation).
>
> I don't understand how you can listen in SSL mode without TLS
> negotiation. How does it know what the cipher or the key is? Or do you


AFAIK, it does normal cipher negotiation but starts SSL negotiation as soon
as you connect.
marc:~$ telnet smtp.valinux.com ssmtp
Trying 198.186.202.175...
Connected to mail.valinux.com.
Escape character is '^]'.
foo
foo
Connection closed by foreign host.
Feb 9 11:32:38 kenny stunnel[31043]: SSL_accept: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol

magic(@va):~$ telnet -zssl smtp.valinux.com ssmtp
Trying 198.186.202.175...
Connected to smtp.valinux.com.
Escape character is '^]'.
220 mail.valinux.com ESMTP Exim 3.22 #1 Fri, 09 Feb 2001 11:37:08 -0800 - VA int mm4
quit
221 mail.valinux.com closing connection
Connection closed by foreign host.

> mean without the STARTTLS command? The client just fires up an SSL
> session without asking?


Yep. It doesn't need to ask because you connected to the SSL port so you
want to be doing SSL.
It really works just like imap/ssl, the whole connection is wrapped with an
SSL layer.

> Is this before or after the initial banner is output?


Before.
This was all meant to work without any help from the daemon itself, you could
just slap stunnel or sslwrap around the daemon, and it just worked.
This is how imap/ssl and pop/ssl still work to this day actually.
(although for IMAP, they are now introducing STARTTLS too)

> No doubt there is no document that specifies how this is supposed to work.


Wouldn't know (actually, I did look but didn't find any), but considering
that the implementation used to be to just put an ssl wrapper around the
daemon, it may not have needed one (i.e. it was probably hacked in on a few
MUAs and someone may just have picked a port number)

magic [mc]# grep ssmtp /etc/services 
ssmtp           465/tcp                         # SMTP over SSL


That said, I'm told it's not a true assigned number.

> > Yes, this is used by some clients, netscape 3 and outlook (I'm told)
>
> I'm not keen on adding standard-breaking code for old clients.
> Netscape 3 has been obsolete for quite some time, hasn't it?


Yes. Then again, I have some users who use it because it doesn't crash :-)

While adding this doesn't break anything, it doesn't seem to be a standard,
and I would respect your decision not to support it.

Marc
-- 
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking


Home page: http://marc.merlins.org/ | Finger marc_f@??? for PGP key
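The distinction the thread draws (TLS handshake first on 465/tcp, versus a cleartext 220 banner on a STARTTLS-capable port) is shown below in an added example; this code is not from the thread, from Exim or from stunnel. `classify_first_bytes` is the decision a wrapper such as stunnel has to make on the first bytes of a connection: the plaintext `foo` that Marc typed into the 465 port is exactly the case that produced the `SSL23_GET_CLIENT_HELLO:unknown protocol` line. `parse_banner` is exercised offline on the Exim 3.22 greeting quoted in the message; `smtp_greet` is the client side (wrap in TLS before reading anything when `implicit_tls` is set) and only touches the network when run from the command line with a host and port of your choosing. The TLS and SSLv2 ClientHello byte layouts used for classification are from the protocol specifications, not from the page.

```python
"""Implicit TLS (SMTPS, 465/tcp) versus STARTTLS-style plaintext SMTP.

Added example for the Exim thread; the function names and the probe are
this example's own, not Exim's or stunnel's.
"""
import socket
import ssl
import sys
from typing import Optional, Tuple

TLS_RECORD_HANDSHAKE = 0x16       # TLS record content type: handshake
TLS_HANDSHAKE_CLIENT_HELLO = 0x01  # handshake message type: ClientHello


def classify_first_bytes(data: bytes) -> str:
    """Classify the first bytes a listener receives on a new connection.

    On an implicit-TLS port the first bytes must be a ClientHello.  A
    plaintext SMTP command arriving there is what stunnel reports as
    'SSL23_GET_CLIENT_HELLO:unknown protocol'.
    """
    if not data:
        return "unknown"
    # TLS/SSLv3 record: type 0x16, major version 0x03, 2-byte version minor/
    # length, then the handshake header whose first byte is the message type.
    if (len(data) >= 6 and data[0] == TLS_RECORD_HANDSHAKE
            and data[1] == 0x03 and data[5] == TLS_HANDSHAKE_CLIENT_HELLO):
        return "tls-client-hello"
    # SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    # followed by message type 1 (MSG-CLIENT-HELLO).
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-client-hello"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "unknown"
    if text.rstrip("\r\n").isprintable():
        return "plaintext"
    return "unknown"


def parse_banner(line: bytes) -> Tuple[int, str]:
    """Parse an SMTP greeting such as b'220 mail.example ESMTP ...'.

    Returns (reply code, announced host name).  Raises ValueError when the
    bytes are not a 220 greeting, e.g. when a client read the socket before
    running the handshake on an implicit-TLS port.
    """
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if len(text) < 4 or not text[:3].isdigit() or text[3] not in " -":
        raise ValueError(f"not an SMTP reply line: {text!r}")
    code = int(text[:3])
    if code != 220:
        raise ValueError(f"expected a 220 greeting, got {code}")
    host = text[4:].split(" ", 1)[0]
    return code, host


def _read_line(conn: socket.socket) -> bytes:
    """Read one CRLF-terminated SMTP line (multi-line greetings not handled)."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def smtp_greet(host: str, port: int, implicit_tls: bool,
               timeout: float = 5.0) -> Tuple[int, str, Optional[str]]:
    """Fetch the greeting from host:port and QUIT.

    implicit_tls=True is the 465/tcp behaviour from the thread: the TLS
    handshake runs before any SMTP byte, so the banner is read through the
    TLS layer.  implicit_tls=False reads the banner in clear, as on port 25,
    where TLS would only follow a later STARTTLS.  Returns (code, hostname,
    negotiated TLS version or None).
    """
    ctx = ssl.create_default_context()
    raw = socket.create_connection((host, port), timeout=timeout)
    conn = ctx.wrap_socket(raw, server_hostname=host) if implicit_tls else raw
    try:
        code, name = parse_banner(_read_line(conn))
        conn.sendall(b"QUIT\r\n")
        _read_line(conn)
        version = conn.version() if implicit_tls else None
        return code, name, version
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python this.py HOST PORT   (465 selects implicit TLS)
    target, target_port = sys.argv[1], int(sys.argv[2])
    print(smtp_greet(target, target_port, implicit_tls=(target_port == 465)))
```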